[Ltb-users] ssp and ppolicy

Sebastian Perkins - Hoist Group - Switzerland sebastian.perkins at hoistgroup.com
Fri Sep 1 16:02:16 CEST 2017

On 01/09/2017 at 14:45, Sebastian Perkins - Hoist Group - Switzerland wrote:

>> If you use a blank entry as binddn, you will not be able to use reset features (mail/questions/sms) as in this case the old password of the user is not known.

Silly me, of course I simply cannot bind without the working pass :D

Some updates on the test I am performing:

- ldaps is used with root dn bind

- no salt, no hash on the ssp side, to let the ldap server encode the pass itself (in order to keep the pwdHistory entries identical)

Works fine from the classic "change" GUI interface! (ppolicy returns the generic error message)

However, our preferred "token via mail" option seems to bypass the policy tests (but updates the hashes with an identical one)... and there is no "current password" email (which makes sense for a reset), but it still bypasses...

I am using the stock Debian Jessie package:
dpkg --list | grep self
ii  self-service-password          1.0-2                              all          LDAP password change web interface

My understanding is that the reset token via mail - as it has no current password - binds with the root dn instead of the user dn and therefore bypasses ppolicy?


Clément OUDOT

Free software consultant, infrastructure and security expert

Savoir-faire Linux

137 boulevard de Magenta - 75010 PARIS

Blog: http://sflx.ca/coudot
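The observation above is that the mail-token reset path writes the new password while bound as the root/manager DN rather than as the user, so any reuse check against pwdHistory that the application relies on has to be done on the application side. The following is an added example written for this archive page, not code from self-service-password or the LTB project: it reads the user's pwdHistory values in the "time#syntaxOID#length#data" layout that the ppolicy overlay stores, and rejects a candidate password that matches any recorded {SSHA}/{SHA}/cleartext hash before the manager-bound write happens. The history values below are constructed for the example; in practice they come from an ldapsearch on the user's entry, and the server-side hashing the author enabled is what keeps them comparable.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Syntax OID the ppolicy overlay records in pwdHistory (octetString).
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt).
    Used here only to construct sample history entries."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against one stored value in {SSHA}, {SHA} or cleartext form."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    # No recognised scheme prefix: treat the stored value as cleartext.
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def parse_pwd_history(value: str) -> Tuple[str, str, str]:
    """Split 'time#syntaxOID#length#data' into (time, oid, data).
    Split at most three times so a '#' inside data survives; verify the length field."""
    time, oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode("utf-8")):
        raise ValueError("pwdHistory length field does not match data")
    return time, oid, data


def password_in_history(candidate: str, history: List[str]) -> bool:
    """True if the candidate password matches any hash recorded in pwdHistory."""
    return any(verify_userpassword(parse_pwd_history(v)[2], candidate) for v in history)


# Constructed sample: two previous passwords as ppolicy would have recorded them.
_old1 = make_ssha("Winter2016!", salt=b"\x01\x02\x03\x04")
_old2 = make_ssha("Spring2017!", salt=b"\x05\x06\x07\x08")
SAMPLE_HISTORY = [
    f"20161201090000Z#{OCTET_STRING_OID}#{len(_old1)}#{_old1}",
    f"20170301090000Z#{OCTET_STRING_OID}#{len(_old2)}#{_old2}",
]

if __name__ == "__main__":
    for pw in ("Spring2017!", "Summer2017!"):
        print(pw, "-> reused, reject" if password_in_history(pw, SAMPLE_HISTORY) else "-> ok")
```

This only covers the history part of a policy; length and character-class rules that ppolicy would otherwise enforce on a user-bound change would need the same treatment in the reset path.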